If you create a loopback in your trust zone then you will have to create a security policy to allow traffic from untrust to trust for ssh. Or you can use the external interface and the firewall filter; be sure to remember the host-inbound-traffic for your untrust zone.
I'm not sure which would really be better. My understanding is that the sooner you filter the traffic in the processing flow, the more efficient it is.

Robert Juric

On Thu, Oct 13, 2011 at 8:40 AM, Daniel M Daloia Jr <[email protected]> wrote:
> Hi Folks,
>
> Is there any reason why I shouldn't allow ssh access to a remote SRX with a
> firewall filter only allowing a single network on an untrust (reth)
> interface? Maybe I should create a loopback instead, allow system-services
> ssh, and apply the filter there? My thought for using a lo interface is why
> force all traffic through the filter just for a system service?
>
> root@----LAB-1----# show firewall
> filter FF_ALLOW_SSH {
>     term SSH-ALLOW {
>         from {
>             source-address {
>                 1.1.1.0/24;
>             }
>             destination-address {
>                 2.2.2.2/32;
>             }
>             destination-port ssh;
>         }
>         then accept;
>     }
>     term SSH-DENY {
>         from {
>             destination-address {
>                 2.2.2.2/32;
>             }
>             destination-port ssh;
>         }
>         then {
>             reject;
>         }
>     }
>     term ANY-ALLOW {
>         then {
>             accept;
>         }
>     }
> }
>
> root@----LAB-1----# show interfaces
> reth11 {
>     unit 0 {
>         family inet {
>             filter {
>                 input FF_ALLOW_SSH;
>             }
>             address 2.2.2.2/24;
>         }
>     }
> }
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
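The two placements discussed in this thread, written out in set syntax as an added example that is not part of either post. It assumes the poster's filter FF_ALLOW_SSH and reth11.0 in zone untrust, the management network 1.1.1.0/24 from the filter, and a constructed loopback address 192.0.2.2/32 for lo0.0 in zone trust.

```junos
## Added example, not from the thread. Addresses other than those in the
## original post (192.0.2.2/32, the names MGMT-NET and SSH-MGMT) are constructed.

## --- Option A: filter on the external interface (reth11.0, zone untrust) ---
## Every packet entering reth11.0 is evaluated by the filter first. The zone
## must still permit SSH as host-inbound traffic, or the flow module drops
## the session after the filter has already accepted it.
set interfaces reth11 unit 0 family inet filter input FF_ALLOW_SSH
set security zones security-zone untrust interfaces reth11.0 host-inbound-traffic system-services ssh

## --- Option B: loopback in zone trust, filter on lo0.0 ---
## An input filter on lo0.0 is evaluated only for traffic destined to the
## Routing Engine, so transit traffic never touches it.
set interfaces lo0 unit 0 family inet address 192.0.2.2/32
set interfaces lo0 unit 0 family inet filter input FF_ALLOW_SSH
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services ssh

## Sessions arriving on reth11.0 (untrust) for the trust-zone loopback also
## need a security policy from untrust to trust, restricted to the
## management network and the SSH application.
set security zones security-zone untrust address-book address MGMT-NET 1.1.1.0/24
set security policies from-zone untrust to-zone trust policy SSH-MGMT match source-address MGMT-NET
set security policies from-zone untrust to-zone trust policy SSH-MGMT match destination-address any
set security policies from-zone untrust to-zone trust policy SSH-MGMT match application junos-ssh
set security policies from-zone untrust to-zone trust policy SSH-MGMT then permit

## With Option B the destination-address in terms SSH-ALLOW and SSH-DENY must
## match the loopback address (192.0.2.2/32) instead of 2.2.2.2/32, or the
## filter's explicit reject never applies to SSH aimed at lo0.
```

With either option, `show security zones` confirms which interfaces carry the ssh host-inbound service, and `show security policies` confirms the untrust-to-trust policy is present for Option B.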

